Thursday, March 22, 2012

The C++ UNIX Socket Interface allows for easy capture and release of IP, IP6, ICMP, ICMP6, UDP, UDP6, TCP, TCP6, and ARP packets. This can be extended, of course: you can register your own Layer 2 functions (RAW sockets and IP/eth dnet interfaces are included) to support any kind of NIC or layer you wish. The default capture layer is libpcap.

Writing a multi-protocol, traceroute-like program is as easy as this. The whole online documentation is here.

I use this lib for my own tools, and I will even change the API if I face shortcomings. I'll try to keep that stable, but the preference is that my own stuff is working. You have been warned, so do not blame me for potential changes. I know that this might be a bit un-social on a social platform like github, but I used to have no friends in social networks anyway. :)

I tested libusi++ on Linux and FreeBSD. When I started the project >10 years ago, it even worked on OpenBSD.

Tuesday, March 20, 2012

For now it contains ssh-sign, which allows you to use your existing SSH host keys to encrypt/decrypt (RSA) or sign (RSA and DSA) files. You can verify the signed files against your ~/.ssh/known_hosts after fetching.

This, for instance, lets you add integrity checking to plain HTTP downloads if you have the SSH host key handy because you once ssh'ed to that host.
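The verify step described above, as an added example that is not ssh-sign's own code: look the host's RSA key up in ~/.ssh/known_hosts (plain entries and OpenSSH's hashed `|1|` entries alike) and check a detached signature over the downloaded file with it. The signature encoding is an assumption, RSA PKCS#1 v1.5 over SHA-256, since the post does not describe ssh-sign's format; hostnames and key material used when running it are constructed.

```python
import base64, hashlib, hmac

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, PKCS#1 v1.5 / SHA-256

def _read_string(buf, off):  # one SSH wire-format string: 4-byte big-endian length, then the bytes
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n

def rsa_pub_from_blob(blob):
    """Decode an ssh-rsa key blob (RFC 4253 wire format) into (e, n)."""
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def host_matches(field, hostname):
    """Match a known_hosts host field: plain 'a.example,192.0.2.1' or hashed '|1|salt|hmac'."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return hostname in field.split(",")

def find_host_rsa_key(known_hosts_text, hostname):
    """Return (e, n) of the first ssh-rsa key recorded for hostname, or None."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":  # skip comments and @cert-authority/@revoked lines
            continue
        if parts[1] == "ssh-rsa" and host_matches(parts[0], hostname):
            return rsa_pub_from_blob(base64.b64decode(parts[2]))
    return None

def verify_pkcs1v15_sha256(pub, data, sig):
    """Check an RSA PKCS#1 v1.5 signature over SHA-256(data) with public key (e, n)."""
    e, n = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:  # wrong length can never be a valid signature for this modulus
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)  # compare the whole EM; no lenient padding parsing

def verify_download(known_hosts_text, hostname, data, sig):
    """Verify a file fetched over plain HTTP with the host key already trusted for hostname."""
    pub = find_host_rsa_key(known_hosts_text, hostname)
    return pub is not None and verify_pkcs1v15_sha256(pub, data, sig)
```

Comparing the full encoded message rather than parsing the padding is what keeps the check strict; a DSA host key would need a separate verifier.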

Friday, March 9, 2012

I am tickling developers about unreadable code, even if it's secure, the whole day at work. So it's only fair that I try to write code as clean as possible myself. While there are different views on what counts as clean code (in my personal view it's the possibility to add concurrency and new features without a large rewrite while still keeping an easy overview, IOW you can refactor your code fast), conditional compilation is usually seen as one of the evils.

Conditional compilation, aka #ifdef's, is even mentioned in Effective C++. For small code snippets it might be acceptable, but traditionally #ifdef's are used to make programs compile on various UNIX flavors. That makes code unreadable and potentially buggy, in particular if the #ifdef's guard different call semantics for the same function, just like sendfile().

I decided to remove the #ifdef's altogether from lophttpd by introducing a flavor namespace and implementing a generic function for each flavor. That moves the conditional compilation logic to the Makefile or configure script. That's one of the commits for it.

No praying without paying: we buy the easy reading and clean code with a little bit of code duplication for similar flavors (for example sendfile() on the Linux and Android flavors), but that cost is paid at writing/maintaining time, not at runtime. The other price is an extra function call for code that could have been inlined. But as a whole, that's cheap today compared to the hassle one can have.

I am not banning #ifdef's; there are good reasons for some of them, and if you write code at the Linux driver (or rootkit) level with a lot of API changes between kernel versions, it's sometimes the best way to go. Yet sometimes, if you look at the code, it just feels wrong, and that's the point where you should change it.

Friday, March 2, 2012

Systemd is the desktop replacement for /sbin/init, aiming to boot Linux desktop systems faster and to better integrate user session tracking etc. Part of systemd is systemd-logind, which does exactly that by creating files (or more precisely hardlinks and symlinks) inside the /run/user directory upon X11 desktop logins. Such work was commonly done by desktop managers like gdm (CVE-2011-0727) or kdm (CVE-2010-0436). Both failed to securely handle files inside user-owned directories, and so does systemd-logind.

The header shows you where the problem is. We actually need to race two unlink() calls to end up in a symlink() call that is of use. A link() would just create a hardlink to the $DISPLAY UNIX socket, which is useless, unless you have another file-remove exploit which you can use to replace /tmp/.X11-unix/X0 before the link() is called. (This would also remove the requirement of having console access to exploit this bug, and the need for a race.)

So far. By messing with files and directories inside /run/user we can create a symlink called display inside arbitrary system directories, pointing to /tmp/.X11-unix/$DISPLAY. /etc/pam.d is a good choice if you have kcheckpass installed. /etc/cron.d is another, but crond only accepts root cronjobs from files owned and writable by root. So placing a display symlink somewhere pointing to /home/attacker/foo is of no use. But wait; isn't root's mailbox mode 0600, owned by root, and writable by users by sending him an email? Yes, it is. So let's just do that. crond will ignore leading and trailing garbage until it finds the attacker's cronjob. The symlink from /tmp/.X11-unix/$DISPLAY to /var/mail/root is made during the restart of the X11 display. That's why a Ctrl+Alt+Backspace is necessary. As mentioned, this is not needed if you combine it with another file unlink vulnerability.

I wrote the PoC for a Core i5, x86_64, and ran it successfully on an FC16 and an openSUSE 12.1. Since we need to race two times, there is no easy pattern to just brute-fork it, as we would race against ourselves then. Maybe the use of inotify is an option to make the PoC more reliable (for me it takes 3 or 4 tries to succeed, so that's enough stability for a PoC).
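The bug class above, shared by gdm, kdm and systemd-logind per the post, is a privileged process operating by path inside a directory tree the user controls, so a component can be swapped for a symlink between the process's unlink() and its symlink(). As an added example (neither systemd-logind's code nor the post's PoC, which is not on this page), here is the defensive pattern in Python: walk below /run/user one component at a time with O_NOFOLLOW relative to a trusted fd, check what was actually opened, and create or replace links relative to that fd; path names and uids are constructed.

```python
import os, stat

def open_user_dir(root_fd, components, expected_uid):
    """Walk `components` below an already-trusted directory fd, one step at a time.

    Every step is opened relative to the previous fd with O_NOFOLLOW|O_DIRECTORY, so a
    component the user swapped for a symlink (say, to /etc/pam.d) fails with ELOOP instead
    of redirecting us; renames after the open do not matter because we hold the inode.
    Returns a directory fd the caller must close, or None if any step was refused.
    """
    fd = os.dup(root_fd)
    for name in components:
        try:
            nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
        except OSError:  # ELOOP (symlink), ENOTDIR, ENOENT: refuse rather than guess
            os.close(fd)
            return None
        os.close(fd)
        fd = nfd
        st = os.fstat(fd)  # inspect the object we actually opened, not the path we named
        if st.st_uid != expected_uid or st.st_mode & stat.S_IWOTH:
            os.close(fd)
            return None
    return fd

def replace_link(dir_fd, name, target):
    """Remove and recreate a display-style symlink by fd, so the full path is never re-resolved."""
    try:
        os.unlink(name, dir_fd=dir_fd)
    except FileNotFoundError:
        pass
    os.symlink(target, name, dir_fd=dir_fd)
    return os.readlink(name, dir_fd=dir_fd) == target
```

If the user races a file of the same name into their own directory between the unlink and the symlink, os.symlink fails with EEXIST; that is a denial of service against their own session, not a link planted in a system directory.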